Over the last several weeks, I’ve been posting a blog series on nine HIPAA network considerations.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

This week we focus on #5 – Risk Assessment drives your baseline.

One identified result from the 2012 HIPAA Audits to date has been that most audited covered entities (95%) did not perform a Risk Analysis, also known as Risk Assessment, which is a Required Implementation Specification within the HIPAA Security Rule.  This accounts for 12% of the HIPAA Security Rule findings and observations.

HIPAA 2012 Audit Security Findings and Observations

The HIPAA Security Rule and Audit Protocol Program defines the Risk Assessment as “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

With respect to the network, a network risk assessment will identify which security gaps and vulnerabilities exist in the network's security implementation. These gaps and vulnerabilities directly affect the risk of PHI theft or loss. This information should feed into the broader program risk assessment, so that you have what you need to understand your current state of compliance and protection, and to prioritize and develop a strategy that protects PHI and leads to HIPAA compliance. After knowing where your PHI is, the risk assessment, including the network risk assessment, is the critical next step towards PHI security.

Recommendation: Build a risk assessment program that includes a network risk assessment, process and procedures assessment, and policy assessment.

Cisco offers a HIPAA security assessment service, if you do not want to perform it in-house, or are looking for a security services partner to help you with your risk programs.   To learn more about Cisco® compliance solutions and HIPAA services, please visit www.cisco.com/go/compliance.


Terri Quinn

Security Solutions Manager

Security Technology Group